No phishing allowed
City of St. Catharines has added safeguards to thwart cyberattacks
A city can have all the best technology tools to fight cyberattacks, but it’s the human factor that can be its downfall.
It’s why St. Catharines’ corporate information officer said the city has been diligently training staff to spot suspicious emails — going as far as sending fake phishing messages to test people and keep them on their toes.
“Everybody’s got to understand, even the best systems can get hacked if you’ve got users that are going to click on stuff,” said Les Garner, in charge of the city’s information technologies.
Cybersecurity and the safety of municipalities has been a hot topic in recent days in the wake of a ransomware attack on Hamilton that has continued to affect that city’s operations since Feb. 25.
Garner said cybersecurity has been a top priority for St. Catharines and the city has been slowly, methodically making changes over the past few years to improve its computer systems.
“The city has invested in cybersecurity security extensively over the last five years and is continuing to do that investment,” Garner said.
Garner couldn’t say if St. Catharines is protected from the same kind of attack affecting Hamilton’s systems because details of what happened in that city and how it occurred aren’t yet known or haven’t been disclosed.
But he said St. Catharines has been taking steps to protect its systems, including deploying endpoint protection on all its laptop computers, phones and other devices, and using software enhanced with artificial intelligence that monitors emails and infrastructure to stop anything deemed a potential breach.
The city uses multifactor authentication for its users, and conditional access on staff email restricts logins to locations in Canada and the United States.
Cybersecurity has been added to the city’s request for proposals process to ensure vendors of new software have protections in place, and much of the city’s software is on the cloud and can’t be hacked through local networks.
A key move, he said, has been replacing old technology.
Garner said for years the city was “relatively frugal” on spending money on IT systems, so in the past five years it has done extensive replacements. It also hires companies to do infrastructure audits.
“With municipalities and government, they don’t always have a lot of money so sometimes systems get quite old. And when servers get to the point where they’re no longer being patched, they become a vulnerability,” he said, adding there have been cases of hospitals getting hacked while running old software because it’s expensive to replace.
St. Catharines has cybersecurity insurance, which Garner said it was only able to obtain by demonstrating to the insurer it’s following best practices.
“These days when everybody’s worried about taxes being raised, sometimes IT is a secondary thought. Fortunately, at the city, we don’t have that problem. Our leadership recognizes the importance of keeping up to date on our computer systems and we’ve done some huge refreshes recently,” he said.
Still, it’s everyone’s responsibility to ensure the city’s systems are as safe as can be and emphasis is placed on educating employees.
That includes running phishing training exercises that will send out emails to all staff accounts telling them their IDs and passwords need to be reset.
“If they click on it, the window pops up and tells them, ‘You just fell for the phishing exercise. Here’s what you should have noticed.’”
Garner’s advice — don’t use the same passwords for personal accounts like social media and for work accounts. And don’t open attachments if you don’t know the sender or why you’re getting the email.